Adobe products struck by zero-day attacks
June 6, 2010 by admin
Filed under Security News
Adobe’s products are once again in the firing line, as hackers are reportedly exploiting critical unpatched vulnerabilities in the products Adobe Reader, Acrobat and Flash Player.
Adobe has published a security advisory describing the problems which affect users regardless of whether they’re running Windows, Mac OS X, Linux, Solaris or UNIX.
Adobe has labelled the zero-day vulnerabilities as “critical”, the most serious rating it has.
Adobe says that Adobe Reader and Acrobat version 8.x are not vulnerable, and that the Flash Player 10.1 release candidate “does not appear to be vulnerable”.
Although Adobe has published a way to mitigate the problem for Adobe Reader and Acrobat 9.x for Windows, the workaround is clearly not ideal:
Deleting, renaming, or removing access to the authplay.dll file that ships with Adobe Reader and Acrobat 9.x mitigates the threat for those products, but users will experience a non-exploitable crash or error message when opening a PDF file that contains SWF content.
Don’t click on ‘Paramore n-a-k-ed photo leaked!’ Facebook link
June 5, 2010 by admin
Filed under Security News
Updated: Many Facebook users are being hit by further clickjacking attacks today, taking advantage of the social network’s “Like” facility.
The latest lure is a link which claims to point to a website containing a naked photo of Hayley Williams, the lead singer of the American rock band Paramore.
Affected profiles can be identified by seeing that the Facebook user has apparently “liked” a link:
Paramore n-a-k-ed photo leaked!

The fact that 21-year-old Hayley Williams has recently been the subject of much internet interest after a topless photo of her was leaked online, is only likely to fuel interest in the naked pictures promised by these links. But take care, because all may not be what it seems.
Clicking on the links takes Facebook users to a third-party website which displays a message saying:
Click here to continue if you are 18 years of age or above

What the hackers have actually done is very sneaky. They have hidden an invisible button under your mouse, so wherever you click on the website your mouse-press is hijacked. As a consequence, when you click with the mouse you’re also secretly clicking on a button which tells Facebook that you ‘like’ the webpage. This then gets published on your own Facebook page, and shared with your online friends, resulting in the link spreading virally.
Attacks like this can spread very very fast. Judging by the number of messages I’ve seen, thousands have already found it impossible to resist the idea of seeing the lead singer of Paramore naked and have fallen head-first into the “likejacking” trap.
This use of a clickjacking exploit to publish the same message (via an invisible iFrame) to the visiting user’s own Facebook page works in a similar fashion to the clickjacking attacks we saw earlier this week.
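The defence against the invisible-iframe trick described above is for the framed page to forbid framing by other origins, via `X-Frame-Options` or a CSP `frame-ancestors` directive. The checker below is an added example (not from the article or from Facebook); the header sets it evaluates are constructed, and it applies the rule that a `frame-ancestors` directive, when present, overrides `X-Frame-Options`.

```python
"""Decide whether a page, given its response headers, could be embedded in
an iframe by another origin (the precondition for clickjacking/likejacking)."""
from typing import Dict, List, Optional


def frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the source list of the CSP frame-ancestors directive, or None
    when the policy has no such directive. An empty list means 'none'."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]] or ["'none'"]
    return None


def framing_allowed(headers: Dict[str, str], page_origin: str,
                    framer_origin: str) -> bool:
    """True if a document at framer_origin may frame the page at page_origin."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    page, framer = page_origin.lower(), framer_origin.lower()

    # CSP frame-ancestors takes precedence over X-Frame-Options when present.
    sources = frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:
        if "'none'" in sources:
            return False
        for src in sources:
            if src == "*" or src == framer:
                return True
            if src == "'self'" and framer == page:
                return True
        return False

    xfo = h.get("x-frame-options", "").upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return framer == page
    if xfo.startswith("ALLOW-FROM "):          # legacy, single-origin form
        return xfo[len("ALLOW-FROM "):].strip().lower() == framer
    # No recognised protection: any site can overlay this page in an iframe.
    return True


# Constructed sample: a page that ships no anti-framing header at all.
UNPROTECTED = {"Content-Type": "text/html"}
PROTECTED = {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"}
```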
Transport website leaking private information of 168,000 passengers
May 19, 2010 by admin
Filed under Security News
A hacker called “ins3ct3d” has demonstrated that he can access the personal information of 168,000 users of public transport in The Netherlands via an insecure website.
A campaign to encourage residents living in the provinces of Gelderland, Overijssel and Flevoland to use public transport has been promoting a website called “Experience the OV” at www.ervaarhetov.nl, which allows people to request a card allowing them to try out public transport travel for free.
However, as the magazine Webwereld reports, a simple SQL injection attack allowed “ins3ct3d” to access the personal information of subscribers – including names, addresses, birth dates, email addresses and phone numbers.
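The coding defect behind a leak like this is a lookup that splices user input into the SQL text. The snippet below is an added example (not code from the site or the article): a constructed in-memory subscriber table, the unsafe string-built query beside the parameterised one, and a check showing that only the unsafe form returns the whole table for a crafted input.

```python
"""Vulnerable versus parameterised lookup over a constructed subscriber table."""
import sqlite3
from typing import List, Tuple

Row = Tuple[str, str, str]


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for a subscriber database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE subscribers (name TEXT, email TEXT, birth_date TEXT)")
    con.executemany("INSERT INTO subscribers VALUES (?, ?, ?)", [
        ("A. de Vries", "a.devries@example.nl", "1984-02-11"),
        ("B. Jansen", "b.jansen@example.nl", "1990-07-30"),
    ])
    return con


def lookup_unsafe(con: sqlite3.Connection, name: str) -> List[Row]:
    # String concatenation: the input becomes part of the SQL grammar, so a
    # quote in it can change the WHERE clause and return every subscriber.
    sql = "SELECT name, email, birth_date FROM subscribers WHERE name = '" + name + "'"
    return con.execute(sql).fetchall()


def lookup_safe(con: sqlite3.Connection, name: str) -> List[Row]:
    # Placeholder binding: the driver passes the input as a string value,
    # never as SQL, so the same crafted input matches no row.
    sql = "SELECT name, email, birth_date FROM subscribers WHERE name = ?"
    return con.execute(sql, (name,)).fetchall()


def compare(name: str) -> Tuple[int, int]:
    """Row counts returned by the unsafe and safe lookups for the same input."""
    con = make_db()
    return len(lookup_unsafe(con, name)), len(lookup_safe(con, name))
```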
The hacker, who has chosen to remain anonymous, demonstrated the attack to the magazine by accessing the personal data of one of Webwereld’s reporters.
Explaining his reason for exposing the security vulnerability, “ins3ct3d” explained that he felt compelled to warn his fellow citizens as long as the government continues to use unsafe systems. “This time it’s sensitive personal data, next time your fingerprints or EPD,” he said.
(EPD is the Electronische Patientdossier. I guess I don’t need to give a translation of that for you to realise why that’s not data you want falling into the wrong hands).
There’s no confirmation that banking data was exposed, but there were fields in the databases for ID card numbers, payment agreements and so forth. At the request of Webwereld, the hacker did not retrieve more data, so there’s no telling if any of these fields had been filled.
Webwereld contacted the authorities, and the website is currently “temporarily unavailable”:

I guess we should all breathe a sigh of relief that, in this instance, the hack appears to have been orchestrated with the interests of exposing poor security, rather than stealing users’ data and identities. Hopefully this incident might play some small part in raising awareness around the world of the need to ensure your website is coded securely, and not at risk of leaking sensitive information.
By Graham Cluley, Sophos